Abort a process when FD ownership is violated

the8472 · the8472 · commit 2e09bf1a1861 · 2024-04-20T23:04:31.000+02:00
When an EBADF happens then something else already touched an FD in ways it is not allowed to.
At that point things can already be arbitrarily bad, e.g. clobbered mmaps.
Recovery is not possible.
All we can do is hasten the fire.
diff --git a/library/std/src/os/fd/owned.rs b/library/std/src/os/fd/owned.rs
@@ -176,7 +176,20 @@ impl Drop for OwnedFd {
             // something like EINTR), we might close another valid file descriptor
             // opened after we closed ours.
             #[cfg(not(target_os = "hermit"))]
-            let _ = libc::close(self.fd);
+            {
+                use crate::sys::os::errno;
+                // ideally this would use assert_unsafe_precondition!, but that's only in core
+                if cfg!(debug_assertions) {
+                    // close() can bubble up error codes from FUSE which can send semantically
+                    // inappropriate error codes including EBADF.
+                    // So we check file flags instead which live on the file descriptor and not the underlying file.
+                    // The downside is that it costs an extra syscall, so we only do it for debug.
+                    if libc::fcntl(self.fd, libc::F_GETFD) == -1 && errno() == libc::EBADF {
+                        rtabort!("IO Safety violation: owned file descriptor already closed");
+                    }
+                }
+                let _ = libc::close(self.fd);
+            }
             #[cfg(target_os = "hermit")]
             let _ = hermit_abi::close(self.fd);
         }
diff --git a/library/std/src/sys/pal/unix/fs.rs b/library/std/src/sys/pal/unix/fs.rs
@@ -870,6 +870,26 @@ impl Iterator for ReadDir {
 
 impl Drop for Dir {
     fn drop(&mut self) {
+        // ideally this would use assert_unsafe_precondition!, but that's only in core
+        #[cfg(all(
+            debug_assertions,
+            not(any(
+                target_os = "redox",
+                target_os = "nto",
+                target_os = "vita",
+                target_os = "hurd",
+            ))
+        ))]
+        {
+            // close() can bubble up error codes from FUSE which can send semantically
+            // inappropriate error codes including EBADF.
+            // So we check file flags instead which live on the file descriptor and not the underlying file.
+            // The downside is that it costs an extra syscall, so we only do it for debug.
+            let fd = libc::dirfd(self.0);
+            if libc::fcntl(fd, libc::F_GETFD) == -1 && errno() == libc::EBADF {
+                rtabort!("IO Safety violation: DIR*'s owned file descriptor already closed");
+            }
+        }
         let r = unsafe { libc::closedir(self.0) };
         assert!(
             r == 0 || crate::io::Error::last_os_error().is_interrupted(),
